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Thank you so much, Father, for that kind introduction. Thanks to you and to Fordham 
for making this possible. This has become one of the most important gatherings of 
people who care about cyber security from the government perspective, private 
perspective, and academia that there is and that’s thanks to your good work. 

I want to start though by saying—I’m glad you mentioned it—my heart is still heavy from 
Detective Liu’s funeral on Sunday and I wanted—I couldn’t be here in this great city 
without noting that. 

Echoing in my head are words from Bill Bratton at Detective Ramos’ funeral where he 
urged that we all find ways to see each other better. That law enforcement work to see 
the communities that we protect better and that the communities work to see law 
enforcement better. And those are very, very wise words. And especially given the 
events of the last day or so where two more officers were wounded, I hope that part of 
that seeing involves an appreciation for just what policing involves. How hard it is. How 
dangerous it is. But I think there’s an important conversation going on in this country 
right now about race and policing and I hope to have more to say about that in the next 
couple of weeks. 








But I’m here today to talk about cyber. Before I get to that, let me also say that my heart 
goes out to the people of France and Paris this morning. We’re thinking of them. We 
have, the FBI, a very close relationship with our partners in the French law enforcement 
and counterterrorism communities. We are working with them. We will do everything we 
can to help them bring to justice the perpetrators of the atrocity that happened in Paris 
earlier today. So we’re thinking of our friends and partners in Paris this morning. 

Let me turn now to the reason that I’m here, which is to talk to you about how we at the 
FBI are thinking about cyber security and the cyber threat. I want to talk a little bit about 
some of the recent cases. In particular, I want to give you some new information about 
the investigation that we’re doing into the Sony hack perpetrated by the North Koreans. 

Let me start by telling you what you know, which is that everything has changed in ways 
that are so fundamental that it’s difficult to describe what it means when we say the 
world is changing because of cyber. Now, I find that in all things cyber there’s a lot of 
nodding and I worry there’s not a lot of understanding behind the nodding at times. And 
so I always look for ways to describe just how fundamental the transformation we’re 
standing in the middle of is. 

And Cisco provided some stats that I saw recently that I just wanted to mention as I 
start. In 2003 there were 6.3 billion human beings on the earth and 500 million devices 
connected to the Internet. In 2010 there were 6.8 billion people on the earth and 12.5 
billion devices connected to the Internet. One-point-eight-four per person. 

Cisco projects that in 2020, now just five years away, there will be seven billion people 
on the earth and 50 billion devices connected to the Internet. Six-and-a-half devices on 
average per person. As a father of five young adults and teenagers, I think we are—in 
my household we’ve exceeded the 6.5 number. We’re carrying the load for a lot of you 
who are not keeping up. 

But there is no doubt that everything has changed because we’ve connected our entire 
lives to the Internet. That is why, because all of life is there, that all of the parts of life 
that the FBI is responsible for trying to protect—whether it criminal, counterintelligence, 



counterterrorism, protecting children, fighting fraud—it all happens there because that’s 
where life is. 

What I want to tell you this morning, now afternoon, is how we’re thinking about the 
threat, what our strategy is for the threat, addressing the threat, and why our partners in 
the private sector matter so much to us being successful in fighting the threats we’re 
responsible for. 

Let me start with the threat. I actually try to describe to people in very simple ways what 
we’re talking about today because I don’t see cyber as a thing, I see it as a way. As a 
vector. Because my children play on the Internet. Because that’s where I bank. Because 
that’s where my health care is. Because that’s—I don’t have a social life, but if I had 
one, that’s where I’m sure it would be. That’s where our nation’s critical infrastructure is, 
that’s where our government’s secrets are and that’s—because life is there, that’s 
where bad people come who want to hurt children, who want to steal money, who want 
to take identities, who want to steal secrets, who want to damage dams and critical 
infrastructure in the United States. It’s the way they come at us because that’s where 
life is. 

I harken back to what I believe was the great vector change that gave birth to the FBI. 
And this popped in my head when I was visiting the field office that we have in 
Indianapolis. A local sheriff gave me a round that had been fired from John Dillinger’s 
Thompson submachine gun. It occurred to me that the great vector change of the 
1920’s into the 1930’s was the confluence of the automobile and asphalt. It gave birth to 
an entirely new way of doing bad things. 

Suddenly criminals could move at breathtaking speeds, right? Forty miles an hour. Fifty 
downhill. Right? They could go from Ohio to Indiana to Illinois in the same day and do 
bank robberies in each of those locations. They were blowing away traditional notions of 
county line and state line. Right? It was straining the framework that law enforcement 
used and so a national force was needed and there was—I’m the seventh director— 
there was the first director of the FBI, J. Edgar Hoover. And a national force was born to 
respond to that entirely new way of crimes being committed. A new vector that required 
a new approach. 



This is that times a million. Dillinger or Bonnie and Clyde could not do a thousand 
robberies in all 50 states in the same day from their pajamas from Belarus. That’s the 
challenge we face today. The traditional notions of space and time and venue and 
border and my jurisdiction and your jurisdiction are blown away by a threat that moves 
not at 40 miles an hour or 50 downhill, but at 186,000 miles per second. The speed of 
light. 

Traditional notions, frameworks, are destroyed by that kind of threat. That requires 
every part of the FBI, those who are spending their days protecting kids, fighting fraud, 
fighting spies, fighting terrorism, protecting intellectual property, all of those things; it 
requires those people to be digitally literate. It requires me to have the right kind of 
people, the right kind of equipment and deploy them in a way that deals with a vector 
change that is mind boggling compared to the Dillinger era. 

So what to do? Let me turn to our strategy. The first thing to do though is adopt an 
attitude of humility. I think we stand in the single greatest transformation in human 
history and anybody who stands here and says, “I know what five years from now looks 
like, I know what 10 years from now looks like, and therefore the FBI should be 
deployed and equipped in the following way,” is arrogant and, in my view, foolish. 

I have to approach this with a sense that we have never seen this before. So I have to 
be humble enough to say, I’ll take things that seem reasonable, I’ll get feedback, and I’ll 
iterate. So we approach it, I hope, with humility. 

And then we devise a five-point strategy. We’re going to try to focus ourselves, we’re 
going to try to shrink the world, we’re going to try to impose real costs on bad actors, 
we’re going to try to improve our relationships with state local law enforcement and 
most importantly of all, we’re going to try to improve our relationship, our battle rhythm, 
our working relationship with private sector partners. 

Let me say a word about what I mean by each of those. 


Focus. Because this affects everything that we might be inclined to deal with, we can’t 
do it all. And so what we’re trying to do in the FBI is figure out so where should our 



resources be deployed. And we think it makes sense to go against the biggest. The 
worst. The baddest. And think about what to go after given what’s unique about the FBI. 
We have international reach and we have significant resources. So given that, what 
should we focus on? And there’s a lot to choose from as you know. 

I have been teased repeatedly, but I’m not giving up describing the threat we face as an 
evil layer cake with nation states at the top...terrorists, organized criminal actors, 
sophisticated worldwide botherders and botnets, hacktivists, weirdoes, bullies, 
pedophiles, creeps...all kinds of people at the lower levels of the layer cake. 

We’re going to try to focus on the top layers of that cake and focus ourselves on the 
nation state actors and the biggest, the most extensive, the most dangerous criminal 
syndicates and international operations. Where can we make the biggest impact for the 
investment of resources? 

We’re also, as we focus those resources, going to try to deploy them in a different way. 
As I said, this vector change blows away traditional notions of, well, this is my area of 
responsibility, this is your area of responsibility. This is my judicial district, that’s your 
judicial district. Blown away by a threat that’s moving as a photon. 

And so we’re going to assign this work not based on some notion of physical fixed 
jurisdiction or venue. We’re going to assign it where the talent is. So what we’re doing is 
looking across the FBI and saying, “Where is the talent to deal with this particular 
threat?” And we will assign that threat to that field office. It could be at one corner of the 
country or the other corner of the country. It’s where the talent is. And then we’ll allow 
up to four other offices to support that effort, to help the primary assigned office. We call 
this the cyber threat team model. Seems to make good sense to me. I don’t know. 
We’ve never done it before. We’re trying it and we’re getting feedback from people to 
see whether it works and whether we need to iterate and change in some fashion. 

Second, shrink the world. What do I mean by that? The bad guys have shrunk the world 
on us. They’re sitting in their pajamas half way around the world. They’re in a military 
uniform half way around the world moving at the speed of light. Blowing away the 
traditional notions. Shrinking the globe to the point of the pin. We have to do the same. 



So we’re trying to do a couple different things to respond to that. We’re going to 
forward-deploy more and more cyber special agents of the FBI and intelligence analysts 
of the FBI in our foreign partners’ offices around the world to make sure that our battle 
rhythm tries to keep up with the threat that’s moving that fast. To forward deploy so we 
have no gap between when the threat is seen and when someone acts on it. 

And the second thing we’re going to do is, within the government, try to continue to 
improve at getting our act together at dividing up our resources between organizations 
in the government. 

As I’ve said before, when I left government in 2005, I described our response to the 
cyber threat as a bit like 4-year-old soccer. I have five children as I think I said, and I 
watched a lot of 4-year-old soccer and it is clumps of children chasing the ball. Because 
the ball is the cool thing so you want to be near the ball at all times so in big clumps 
they chase the ball. Cyber was very cool. All of us in government knew we had to do 
something about cyber, so there was a big clump of us running around chasing it. 

Now that I’ve come back—I’ve been back a year and four months now. I saw when I 
came back we’ve made significant progress. We’re probably high school, college-level 
soccer. We spread out. We know we have to pass. We know it’s important to know 
where you are on the field. Everybody shouldn’t be following the ball. But we’re facing a 
World Cup-level adversary. We have to get better at feeding each other the ball when 
we need it and doing it at machine speed. 

We have built as a government something called the National Cyber Joint Investigative 
Task Force, NCIJTF, where 19 federal agencies sit together and divide up the work. 

See the threat, see the challenge, divide it up and share information. That’s great. 

That’s one significant down payment on moving toward World Cup-level soccer, but we 
have more to do. 

I said we need to impose costs. What do I mean by that? I worry sometimes that 
whether the actor is a nation state or a criminal or a creep down the block, there’s a 
sense that it’s a freebie. That if I’m at a keyboard somehow it’s free that I can break in 
and steal the lifeblood of an American business or steal the identity of an American 



citizen when it is in reality no different than kicking in your front door and walking out 
with your television, right? Or dragging something you love dearly out of your life. 


We have to treat it that way. We have to impose real costs on people who think they’re 
alone...think they’re far enough away that it’s a freebie. And the first way we need to do 
that is, as often as possible, lay hands on people and lock them up. Often when I say 
that people say, “Well, these people are far away and they’re in foreign countries.” I’m 
not saying it’s easy, but we are dogged people. Never say never. 

As the world shrinks and people travel, we have more and more opportunities to lay 
hands on people who think they perpetrated a freebie in an effort to make it a real cost. 
So we’re going to try to lay hands on people or get our partners to lay hands on people 
as often as possible. 

The other thing we’re going to do is when we can’t lay hands on people, as often as 
possible, we’re going to call out the conduct. And as often as we possibly can we’re 
going to say here’s what happened and who did it. It’s why I thought it was so important 
that the indictment was returned out of the Western District of Pennsylvania indicting the 
five People’s Liberation Army actors for a naked theft of the lifeblood of American 
companies. I thought it was very, very important to have that be a public indictment and 
explain the conduct. 

For the same reason, I thought it was very, very important that we as a government, we 
as an FBI, said we know who hacked Sony. It was the North Koreans who hacked 
Sony. And call out that conduct and explain it. That is why we have, as much as we can, 
tried to offer our attribution and the whys behind our attribution. 

The destructive nature of that attack proves that everyone has to take cyber security 
seriously. It could happen to anybody in this room. The Treasury Department’s recent 
sanctions against North Korea, I think, are an important signal of how seriously the 
government takes these events. Alright? That there will be consequences for those who 
use malicious cyber activity to harm Americans or harm American businesses. 



As you know, we at the FBI and the entire intelligence community have previously 
attributed these attacks to North Korea and we continue to believe that is the case. 
There is not much in this life that I have high confidence about. I have very high 
confidence about this attribution, as does the entire intelligence community. 

So how do we know that? Why do I have such high confidence in this attribution to 
North Korea? Well, here’s the tricky part. I want to show you as much as I can, the 
American people, about the why and I want to show the bad guys as little as possible 
about the how. Okay? How we see and what we see. Because it will happen again and 
we have to preserve our methods and our sources. 

There are a couple of ways we’ve already said, right? You know that the technical 
analysis of the data deletion malware from the attack shows clear links to other malware 
that we know the North Koreans previously developed. The tools in the Sony attacks 
bore striking similarities to a cyber attack that the North Koreans conducted in March of 
last year against South Korean banks and media outlets. 

We’ve done a—I have, as you may know from watching “Silence of the Lambs,” people 
who sit at Quantico.. .very dark jobs. Their job is trying to understand the minds of bad 
actors. That’s our behavioral analysis unit. We put them to work studying the 
statements, the writings, the diction of the people who claim to be the so-called 
Guardians of Peace in this attack. We compared it to other attacks that we know the 
North Koreans have done and they say, “Easy for us. It’s the same actors.” 

We brought in a red team from all across the intelligence community and said, “Let’s 
hack at this. What else could be explaining this? What other explanations might there 
be? What might we be missing? What competing hypothesis might there be? Evaluate 
possible alternatives. What might we be missing?” And we end up in the same place. 

Now, I know because I’ve read it in the newspaper and I’ve seen it on the news, that 
some serious folks have suggested that we have it wrong. I would suggest—I’m not 
suggesting. I’m saying. They don’t have the facts that I have, don’t see what I see, but 
there are a couple things that I have urged the intelligence community to declassify that 
I want to tell you right now. 



The Guardians of Peace would send e-mails threatening Sony employees and would 
post online various statements explaining their work. In nearly every case they used 
proxy servers to disguise where they were coming from in sending those e-mails and in 
posting those statements. 

But several times they got sloppy. Several times, either because they forgot or because 
they had a technical problem, they connected directly and we could see them. And we 
could see that the IP addresses that were being used to post and to send the e-mails 
were coming IPs that were exclusively used by the North Koreans. 

It was a mistake by them that we haven’t told you about before that was a very clear 
indication who was doing this. They would shut it off very quickly once they realized the 
mistake, but not before we saw them and knew where it was coming from. 

As I said, we have a range of other sources and methods that I’m going to continue to 
protect because we think they’re critical to our ability—the entire intelligence 
community’s ability—to see future attacks and to understand this attack better. We have 
brought them all to bear in this situation and I remain where I started—not with just high 
confidence, but very high confidence that the North Koreans perpetrated this attack. 

We’re still looking to identify the vector. How did they get into Sony? We see so far 
spear phishing coming at Sony in September—as late as September of this year. We’re 
still working that and when we figure that out we’ll do our best to give you the details on 
that, but that seems the likely vector for the entry into Sony. 

Overall we think this investigation is a prime example as well of the importance of 
public-private partnerships which I’m going to talk about in a second. Sony did the right 
thing here. The moment they knew they had this problem they reached out to the FBI 
and have been a great partner ever since in trying to unwind it, understand the nature 
and scope of the attack, and identify the perpetrators. 

So there is no doubt that imposing costs, both laying hands on people and calling out 
bad conduct, has to be part of the FBI strategy, and it will be. 



Fourth. We need to get better at helping our state and local partners deal with the threat 
because all manner of crimes that we don’t have the resources and time to get to are 
appearing for the county sheriffs, the local police departments, the local DAs. 

Their citizens are saying, “I was ripped off. Somebody sent me an e-mail saying the FBI 
director needs me to wire this money to Nigeria and I wired it. And so I need help.” 

I don’t want anyone within the sound of my voice—I never want you to wire money to 
me anywhere on the earth. 

We need to equip our state and local partners to be able to be digitally literate and to 
conduct their investigations in responding to the same threats coming through the 
vector that is cyber. And so one of the things we’re trying to do is work with the Secret 
Service to offer training to the 17,000 state and local law enforcement organizations in 
this country to equip their people to be digitally literate. A ton of work going on there. 
Lots more needs to be done. 

And then last, the fifth part of the strategy is the importance of increasing our 
cooperation and improving our cooperation with our private partners. Let me say why 
this matters so much. I think you get this. All of it is in your world, private sector 
partners. Invariably, that’s where the victims are. That’s where the information is that we 
need in order to be able to respond to actions by nation states, by terrorists, by 
hacktivists, by all—the entire layer cake manifests itself on your networks and on your 
systems. If we can’t find a way to effectively share that information to those of us with 
the enforcement powers, we’re sunk. 

You also see things. You have tremendous brains in the private sector. You see things. 
You think of things that could be tremendously useful to us. We have to find ways, 
productive ways, to get the content of your brain into the government. 

Without effective sharing, I’m a bit like a police officer patrolling a street with 50-foot 
high walls. Solid walls on either side of the street. I can tell you the street looks fine. The 
little piece of the world that I can see clearly, it looks clean to me. If I can’t see through 
that 50-foot wall into that neighborhood, I have no ability to help make it safe or to even 



tell you what’s going on there. We have to find a way to make those walls in some 
fashion at least semi-permeable so we can share information. 


This is not easy. I know some of the frustration on the private sector side. As I have 
said, I was the general counsel of two companies before coming back to government, 
and I’ve been in lots of conversation that went like this. “Why doesn’t the government 
tell us something?” Right? “What are they going to do with what we tell them? What if it 
leaks? What if it gets used against us in a competition? What if we get accused of lying 
to somebody? What if we get sued? What are our shareholders going to think? What’s 
the board going to think? Why can’t the government tell us things that we can actually 
do something about?” 

I understand some of the challenges that lay there right now. I think we need clearer 
rules for the private sector...to offer clear rules of the road for what will happen to what 
you share and what we need you to share. Right? We need better technology. Be able 
to share information both ways more effectively and more quickly. You need protection. 
You need guidance. I need information. 

We have made significant progress in a lot of the different parts of the American 
economy in sharing, but there are a bunch of impediments that remain. Mechanical, I 
mentioned. Legal, I mentioned. And then there’s one that’s harder to describe, but feels 
very real to me, and that is cultural. 

In the wake of Mr. Snowden’s so-called revelations, there’s a wind blowing that I worry 
has blown what is a healthy skepticism of government power—I think everybody should 
be skeptical of government—to a cynicism so that people don’t want to be with us 
anymore. Meet us out behind the 7-Eleven late at night and I’ll talk to you as long as 
nobody sees me. Or wear a bag over my head to a meeting with the government. 
Because there is this wind blowing that there’s something bad if you’re touching the 
United States Government. We have to build even though there’s that wind. We’ve got 
to do our best to speak into that wind to try to explain how we’re using our authorities in 
the government. But we simply cannot fight this threat without talking to each other. 
Without building effective bridges despite the wind that’s blowing. 



So that’s our strategy. Focus ourselves, shrink the world, impose real costs, get better 
at cooperating with our state and local partners and maybe most of all, get better at 
cooperating with our private sector partners. 

Before I leave you though I want to mention something that I know Cy Vance mentioned 
today because he’s been a leader on this—the problem of what we call Going Dark. 

This is very, very important to us in law enforcement. Especially in law enforcement. We 
are drifting to a place in this country without serious public discussion that I don’t think a 
democracy should drift to without discussion. 

When I left government in 2005, there was a significant Going Dark problem with data in 
motion. We were increasingly finding ourselves in a place where we went to a judge, we 
got a court order, we showed probable cause, we had permission to intercept data in 
motion and we couldn’t. 

That problem was kind of blinking off to my periphery in 2005. When I came back in 
2013, it’s blinking directly in front of me because of the proliferation of communication 
modes, right? The hundreds and hundreds of apps through which people communicate. 
We’re making it increasingly difficult for us with lawful authority, especially in our 
criminal work, to be able to intercept the communications of drug dealers, organized 
criminals, of bad people of all sorts with court approval. 

But there’s another dimension to it that made it blink even more brightly—directly in 
front of me. Not just the data motion. Increasingly what we’re finding ourselves up 
against is data at rest that is sitting in a place or in a device that, even with a search 
warrant, we can’t get access to. And this is everywhere in law enforcement. 

There used to be a day in the good old days of law enforcement, you get a search 
warrant, you enter a drug location and the knuckleheads would have written down in 
one of those black composition books who got what and how many kilos there were and 
you take the book and you would photocopy it and give it to the prosecutor and you 
would be good to go. Now we encounter a thumb drive, a PDA, a laptop, a tablet.. .and 
increasingly we’re encountering devices that we cannot get access to even with lawful 



authority. To me, this is not about the government wanting to whack people’s privacy. 
I’m a big fan of privacy. I don’t want the government, without lawful authority, going 
through anything of mine. 

This, though, is about us drifting to a place where there will be zones beyond the reach 
of the law in the United States. The Fourth Amendment is one of the most important 
parts of this entire democracy because the government may not search and seize the 
people’s papers and effects without a warrant. But now we’re drifting to a place that, 
even with a warrant, there will be papers and effects, even with court authority, that are 
beyond the reach of the law. Maybe we want to go there. Maybe that’s where we want 
to end up as a democracy. Maybe people decide that privacy is that important. But I 
don’t think we’re talking about it enough. I don’t think we’re thinking about, “So what are 
the trade-offs involved there?” 

My job, I don’t believe, is to tell people what to do. I mean, in a democracy, the people 
should decide what to do. My job, I think, is simply to say there are significant public 
safety implications here and let’s talk about it before we get to the place that Cy Vance 
talks about. Where people look at us with tears in their eyes and say, “What do you 
mean you can’t? What do you mean you can’t? This little girl has disappeared. What do 
you mean you can’t tell me who she was texting with before she disappeared? You’ve 
got the phone. You’ve got a court order.” Before we get to “what do you mean you 
can’t,” I think we’ve got to talk about it as a people. 

So, in conclusion, thank you for being here. Just that you’re attending this conference is 
a sign that you get the significance and the challenge we face that cyber has truly 
changed everything we’re responsible for. Thank you especially to those of you in the 
private sector for making us smarter, for pushing us, for asking hard questions. I meant 
it when I said people should be skeptical of government. Ask hard questions. We will 
learn from your questions. 

Thank you for helping us catch the bad guys that are trying to do so much harm to you. 
And most of all, thank you for the work that I think we will do together in a lawful, 
appropriate way to protect the American people. Thanks for listening. 




